It is important to me that my sites are protected. My data need security and protection from malicious acts. I am sure you need the same.

This article describes several important things that will help you make your Joomla! site more secure. I describe several steps you can take as early as the initial installation of the system, and I list a few tips and tricks that will make your fortress impenetrable.

During installation

Change the default prefix of the database tables. Nobody needs to know the prefix of the tables, and a non-default prefix helps protect your site from MySQL injection attacks that assume the default table names.

After a fresh installation

After the initial installation of Joomla!, you should take several steps to prevent abuse of a site that is still unprotected. What should you do?

Global settings and mod_rewrite

Go to "Global Configuration" and set "Site Offline" to "Yes", because no one should visit the site until you have finished the configuration.

You should also turn on search-engine-friendly URLs and the URL rewriting scheme (mod_rewrite). It blocks many attacks, exploits and hacks that rely on the default URL structure.

Do not forget to rename htaccess.txt to .htaccess; until you do, the rewrite rules it contains are never applied. :)

Disable user registration

Some sites do not need their users to register. If yours is one of them, prohibit registration of new users. You can do it in "Global Configuration": go to the "System" tab, where the "User settings" are, and set "Allow User Registration" to "No".

Change the username and user ID

You should change the ID and username of the super administrator. Every time you install the system for the first time, the administrator's ID is 62 and the username is "admin", and many people know that. To change it:

Set the secret token

This is a Joomla! plug-in that you use to add a secret token to the administrator URL. Your address becomes something like

http://mydomain.com/administraton/?mySecretToken$101

That protects your admin area from intruders, because only you know the secret token (the password for access).

Access from your IP address only

Make your administration available only from your IP address. For this purpose, add a ".htaccess" file to the "/administrator" directory. Then put those directives in the file, replacing "IP Address" with your own.

Now only you can enter the administration area, and only from the IP address you allowed, i.e. the computer you are currently using.

Apache HTTP Authentication

You can add another layer of authentication, provided by the Apache web server itself. Put the following directives in the ".htaccess" file you created earlier.

AuthType Basic
AuthName "Forbidden access!!!"
AuthUserFile "/Secure Path/.htpasswd"
Require valid-user

Now create a file in which you will store the usernames and passwords for access (the htpasswd utility shipped with Apache creates it with hashed passwords). The file must be named ".htpasswd". Save it in a safe place outside the public directory (outside public_html).

Set the directive "AuthUserFile" to the full path of .htpasswd; a path containing spaces must be quoted.

Write your own message for the directive "AuthName"; it is shown in the login prompt and will scare off the invaders.

Move configuration file

Now it is time to move configuration.php. Download an FTP client and connect to your host. Find a secure place for the file outside the public_html directory. This is necessary because you must protect the configuration file, which holds your database credentials, from public access, and moving it out of the web root is the best way to do it.

Now put the new path to configuration.php in these files:

/administrator/includes/defines.php

/includes/defines.php

In each file, set this constant to the new path and save the file:

define( 'JPATH_CONFIGURATION', "/New Path" );

File permissions

File permissions are very important for the security of your web site. Never leave permissions at 0777, as that allows anyone to read, write or erase your files and directories.

Whenever you install an extension, check the permissions of the new files. Connect to the hosting where your site lives via an FTP client and check their current status.

Directory permissions must be 0755.

File permissions must be 0644.

If something is wrong, right-click the file or folder, select "File Permissions ...", set the right value and click "OK".
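To audit these values across the whole installation instead of clicking through files in an FTP client, here is an added shell script (example code, not from the original article) that lists every directory whose mode is not 0755 and every file whose mode is not 0644, and optionally corrects them; the installation path is a placeholder argument.

```shell
#!/bin/sh
# Added example, not from the original article: audit a Joomla! tree for
# the permissions the article recommends (directories 0755, files 0644).
# The installation path is passed as an argument (placeholder, e.g. /var/www/joomla).

# Print each directory whose mode is not exactly 0755 and each regular file
# whose mode is not exactly 0644. `-perm 755` without a leading '-' or '/'
# is an exact match, so 0777 and 0666 are reported while 0755/0644 are not.
list_bad_perms() {
    root=$1
    find "$root" -type d ! -perm 755 -print
    find "$root" -type f ! -perm 644 -print
}

# Number of offending entries; 0 means the tree matches the recommendation.
count_bad_perms() {
    list_bad_perms "$1" | wc -l | tr -d ' '
}

# Correct only the offending entries, leaving correct ones untouched.
fix_perms() {
    root=$1
    find "$root" -type d ! -perm 755 -exec chmod 755 {} +
    find "$root" -type f ! -perm 644 -exec chmod 644 {} +
}

# Command-line use: ./perms.sh /path/to/joomla [--fix]
if [ "$#" -ge 1 ]; then
    list_bad_perms "$1"
    echo "$(count_bad_perms "$1") entries differ from 0755/0644"
    if [ "$2" = "--fix" ]; then
        fix_perms "$1"
        echo "fixed; $(count_bad_perms "$1") remaining"
    fi
fi
```

Run it read-only first and review the list before passing --fix: anything the web server must write to (the cache and tmp directories, log files) must stay writable by the PHP user, which is a matter of correct ownership rather than a reason to loosen the mode to 0777.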

Be careful with extensions

Be careful when you install new extensions. Install only components that are recommended and have been tested by many people.

Do not leave unpublished extensions in place. Their files are still on the server, which makes them dangerous. Remove extensions by uninstalling them if you no longer want to use them.

Be always informed

Use Google Alerts for immediate notification of security flaws. You can specify keywords and how often you want to receive the information, and Google will send you a list of publications that mention the specified phrases.

Sample list:

joomla vulnerability
joomla exploit
VirtueMart vulnerability
jComment exploit

I recommend that you subscribe to the oCERT newsletter. You should also subscribe to the newsletters of the extensions you have installed. Thus you will be the first to learn about patched security holes, and you will be able to react quickly and stay one step ahead of the raiders.